CVE-2026-47696
4.3 MEDIUMWWBN AVideo is an open source video platform
Published: 2026-05-29 · Last updated: 2026-06-01
Severity and scoring
- CVSS
- 4.3 MEDIUM
- Vector
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
- CWE
- CWE-345
Affected products
| Vendor | Product |
|---|---|
| wwbn | avideo |
Description
WWBN AVideo is an open source video platform. In 29.0 and earlier, plugin/AuthorizeNet/processPayment.json.php credits the logged-in user's wallet based only on the attacker-controlled amount POST parameter. The endpoint contains a TODO for real Authorize.Net charging, hardcodes $paymentSuccess = true, and then calls YPTWallet::addBalance() without validating any Authorize.Net transaction, webhook signature, hosted payment token, nonce, or server-side payment record. This allows any logged-in user to add arbitrary funds to their own AVideo wallet when the AuthorizeNet and YPTWallet plugins are enabled.
Source: NVD
References
Related CVEs
Same vendor
- CVE-2026-47694 — WWBN AVideo is an open source video platform (5.4 MEDIUM)
- CVE-2026-46337 — WWBN AVideo is an open source video platform (5.3 MEDIUM)
- CVE-2026-45731 — WWBN AVideo is an open source video platform (4.9 MEDIUM)
- CVE-2026-45620 — WWBN AVideo is an open source video platform (5.3 MEDIUM)
- CVE-2026-45619 — WWBN AVideo is an open source video platform (6.5 MEDIUM)
Same CWE
- CVE-2026-46654 — Plonky3 is a toolkit for polynomial IOPs (PIOPs)
- CVE-2026-48096 — OpenFGA is an authorization/permission engine built for developers (5.0 MEDIUM)
- CVE-2026-46539 — Nimiq is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm (5.9 MEDIUM)
- CVE-2026-7792 — The WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More plugin for WordPress is vulnerable to Insuf... (5.3 MEDIUM)
- CVE-2026-8608 — The Event Monster – Event Management, Events Calendar, Tickets plugin for WordPress is vulnerable to Insufficient Verification of Data Au... (5.3 MEDIUM)